Establishing a Corporate Email Policy

Not
all misuse of organizational email systems comes from external sources.
Employees improperly utilizing a messaging system can put a company at
risk as well, either by overloading the sytem, passing confidential
data to nonauthorized personnel, or passing material that is offensive
in nature, potentially exposing the organization to lawsuits from other
personnel.

Established and documented
corporate email policies are used to govern and enforce the appropriate
use of the messaging environment. However, like most security policies,
they cannot be effective if they are not created, approved,
implemented, and communicated to the user community.

Note

Corporate
email policies not only define how the system can and should be used;
they also limit an organization’s liability in the event of misuse.

The following are possible considerations and guidelines to include in the corporate email policy:

Personal usage—
The policy should state whether emails of a personal nature are
accepted and, if so, to what extent. Some companies place a limit on
the number of personal emails that can be sent each day. Others require
personal emails to be stored in a separate folder within the email
system. Most companies allow the sending and receiving of personal
emails because this is often less time consuming than requiring
employees to access external mail sources for personal communications.

Expectation of privacy—
A corporate email policy should plainly state that the messages
contained within the system are the property of the organization, and
that no expectation of privacy is implied. Email records can be
subpoenaed, mailboxes can be reviewed for appropriate use, or data can
be retrieved in the event of the termination of someone’s employment.
By setting the expectation up front, you can make it clear to your
users that the email system is a tool for their use, but the messages
contained do not belong to them.

Email monitoring—If
the organization monitors the content of its employees’ emails, this
should be stated in the email policy. Most countries and states allow
the monitoring of corporate email by authorized individuals, as long as
the employee has been made aware of the policy.

Prohibited content—
The policy should state that the email system is not to be used for the
distribution of offensive or disruptive messages. This includes
messages containing inappropriate content such as comments about race,
religion, gender, or sexual orientation. The policy should also clearly
state that pornographic pictures or emails with sexual content will not
be tolerated, as these items are commonly the cause of offense between
employees. The policy should mandate that employees receiving any such
materials should report them to their supervisor or another appropriate
entity for review immediately.

Confidential data—
Employees should not use the messaging system to discuss sensitive
matter, such as potential acquisitions or mergers. Corporate secrets or
other proprietary data should not be sent either, as an inadvertent
forward could allow the sensitive data to pass to inappropriate
personnel.

Email retention policies—
Many organizations, especially government, health-care, and financial
institutions, are required by law to meet or exceed certain email
retention policies. These policies should be clearly stated and
meticulously enforced. Allowances should be made for employees to save
messages of a critical nature—often companies allow them to be saved in
separate folders to avoid automatic deletion.

Point of contact— The email policy should clearly state where employees can go to have any questions about the corporate email policy answered.

Bear
in mind, a corporate email policy that is unknown to the user community
is not an effective one. The policy should be distributed to the users
in a variety of ways, such as posting on an intranet site, in employee
handbooks, on break room bulletin boards, or in company newsletters.

Securing Exchange Server 2007 Through Administrative Policies

Whereas
a corporate email policy specifically governs the use of the messaging
system for users, administrative policies govern the operation and
usage of the messaging system in general. Many best practices have been
worked out over the years, some of which are as follows:

Administrative and operator accounts should not have mailboxes—
Many viruses and email worms rely on the permissions of the
authenticated user to perform. If the user opening the message has
administrative access to the computer, there is a much greater
potential for danger.

Grant permissions to groups rather than users—
By granting permissions to groups, rather than users, you can quickly
grant or deny access to a wide range of resources with one change. For
example, if your Human Resources department has hundreds
of files, in dozens of directories throughout your network, you would
have to add (or remove) an individual from the permissions from each
of these folders when they join or depart the team. However, by
granting the permissions instead to an HR group, and then giving the group permissions, you can now modify access simply by adding the user to, or removing them from, the group.

Require complex (strong) passwords for all users—
If left to their own devices, many users select passwords that are easy
for them to remember. However, this behavior results in passwords that
are also very easy for malicious users to crack. By requiring complex
passwords, consisting of upper- and lowercase letters, numbers, and
special characters, the likelihood of a breach of security is greatly
reduced.

Require Secure Sockets Layer (SSL) for HTTP, POP3, IMAP4, NNTP, and LDAP clients—
The SSL encryption protects confidential or personal information sent
between a client and a server. The SSL protocol uses a combination of
public-key and symmetric-key encryption. Symmetric-key encryption is
much faster than public-key encryption; however, public-key encryption
provides better authentication techniques.

Set policies globally when possible—
Rather than setting policies for individual users or groups,
companywide policies should be set, whenever possible, at a global
level to ensure compliance.

Securing Groups

An
important step in securing your messaging environment is to secure
distribution and mail-enabled security groups. For instance, CompanyABC
is a medium-sized company with 1,000 users. To facilitate companywide
notifications, the HR department created a distribution group called
“All Employees,” which contains all 1,000 employees. By default, there
are no message restrictions for new groups, meaning that anyone can
send to this list. If CompanyABC has an Internet Mail SMTP Connector,
this group will also have an SMTP address.

Consider
what would happen if a new user sent an email to “All Employees”
advertising a car for sale. Let’s take it one step further and imagine
that the user sent it with a read receipt and delivery notification
requested. Thousands of messages can now be generated from this one
mistake and could negatively impact server performance.

Often,
intentions are not as innocent as the new user simply making a mistake.
Sending repeated email messages to mail-enabled groups with large
memberships is sometimes used in an attempted denial of service (DoS)
attack. The attacker sends an SMTP message to the “All Employees” group
with a delivery notification receipt requested and spoofs the “Return
to” address with the same SMTP address used for the distribution group.
So, 1,000 messages are sent, and 1,000 delivery notifications are
returned—each of which is then sent to all 1,000 users in the group!
From this one spoofed message, the net effect is (1 + 1000) + (1000 *
1000)=1,001,001 messages! By spoofing the distribution list and
including a delivery notification receipt, this single email results in
over 1 million messages processed by the system.

Fortunately,
for this easy problem, there is an even easier solution. Exchange
Server 2007 allows you to configure message restrictions on your
distribution groups.

To secure distribution groups so that only authenticated users can use it, do the following:

1.

Open the Exchange Management Console.

2.

In the console tree, under Recipient Configuration, click Distribution Group.

3.

In the results pane, select the distribution group you want to modify, and then click Properties.

In the console tree, under Recipient Configuration, click Distribution Group.

3.

In the results pane, select the distribution group you want to modify, and then click Properties.

4.

5.

Under Accept Messages From, select the Only Senders in the Following List option button.

6.

Click Add, and select the users or groups that are to have permission to send to the distribution group.

7.

Click OK when finished, and then click OK again to exit the configuration screen.

An
additional option allows you to configure the distribution list to
reject messages from an individual or from members of a group. This
setting is also configured using the Message Delivery Restrictions page.